Only one unencrypted file, the load-point driver, is ever written to the disk during the entire process. Duqu was clearly designed to minimize detectable footprints left on the disk. – Symantec, "W32.Duqu: The precursor to the next Stuxnet" (PDF)
Not everyone believes in Son of Stuxnet
Not everyone is convinced Duqu is such a big deal. Taking advantage of a flaw in the Windows kernel is a "pretty common" technique for malware of all kinds, according to Andrew Storms, director of security operations at nCircle Security, as quoted in Infoworld.
Evidence that Stuxnet and Duqu are directly related is "circumstantial at best," Jon Ramsey, CTO of Dell SecureWorks, told Computerworld.
Both viruses are sophisticated in the way they work, but all the similarities are in one module from each, the kernel driver that allows the malware to inject itself into a specific Windows process, Ramsey said.
Other techniques that both Stuxnet and Duqu use, such as hiding encrypted DLLs in files with a .PNF extension (the extension Windows uses to store precompiled setup information), fake digital signatures and rootkits to hide files, are also used by many other malware writers for the same purposes, Ramsey said.
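The .PNF trick Ramsey mentions is something a defender can actually check for. The script below is an added example written for this page, not code from the article, from Symantec, or from any of the analysts quoted. It rests on two assumptions, both stated in the comments: that a legitimate .PNF in the Windows inf directory is the precompiled copy of a .inf with the same base name in the same directory, and that compiled setup data, unlike an encrypted DLL, does not look like uniformly random bytes. The entropy cutoff of 7.5 bits per byte and the file names in the demo directory are constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Added example: heuristic triage of .PNF files such as those under
# %SystemRoot%\inf. Two assumptions drive it:
#   1. a legitimate .PNF has a sibling .inf with the same base name
#      (it is the precompiled form of that .inf);
#   2. compiled setup data is structured, not near-random, so a .PNF whose
#      bytes approach 8 bits/byte of entropy is more likely an encrypted
#      payload parked under a harmless-looking extension.
# The 7.5 bits/byte threshold is an assumed cutoff, not a Windows constant.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_pnf_files(inf_dir, threshold=ENTROPY_THRESHOLD):
    """Return [(path, [reasons])] for .pnf files that violate either assumption."""
    inf_dir = Path(inf_dir)
    names = os.listdir(inf_dir)
    lowered = {n.lower() for n in names}
    findings = []
    for name in sorted(names):
        path = inf_dir / name
        if not path.is_file() or not name.lower().endswith(".pnf"):
            continue
        reasons = []
        # Assumption 1: expect a same-named .inf beside every .pnf.
        if (name[:-4] + ".inf").lower() not in lowered:
            reasons.append("no matching .inf")
        # Assumption 2: compiled INF data should not look encrypted.
        ent = shannon_entropy(path.read_bytes())
        if ent >= threshold:
            reasons.append(f"entropy {ent:.2f} bits/byte")
        if reasons:
            findings.append((str(path), reasons))
    return findings


def build_demo_dir():
    """Create a constructed stand-in for an inf directory (not real Windows data)."""
    d = Path(tempfile.mkdtemp(prefix="inf_demo_"))
    inf_text = b'[Version]\r\nSignature="$Windows NT$"\r\nClass=Net\r\n' * 40
    # Benign pair: low-entropy .pnf with its .inf sibling present.
    (d / "oem1.inf").write_bytes(inf_text)
    (d / "oem1.pnf").write_bytes(inf_text)
    # Orphaned but low-entropy .pnf: only the missing-sibling rule fires.
    (d / "orphan.pnf").write_bytes(inf_text)
    # Constructed "parked payload": deterministic high-entropy bytes, no .inf.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (d / "parked.pnf").write_bytes(blob)
    return d


if __name__ == "__main__":
    for path, reasons in suspicious_pnf_files(build_demo_dir()):
        print(path, "->", "; ".join(reasons))
```

On a real host you would point `suspicious_pnf_files` at `C:\Windows\inf` and treat a hit as a lead for triage (pull the file, check who wrote it and when), not as proof of infection; the two heuristics are independent, so a file that trips both deserves attention first.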
Having to use a crutch like that to get past routine security – and having to rely on Word documents for transport – may mean Duqu is not only not related to Stuxnet, but that it's a lot less sophisticated than many seem to think, Storms told Infoworld.
Maybe, but I doubt it.
Too smart to be 'just a virus'
Storms is right that a lot of viruses exploit Windows flaws.
Usually they exploit known flaws and count on users not having installed all the patches they should.
Most virus writers don't discover new flaws in the kernel and use them as an entry point for a colony of malware that communicates sotto voce among its own members and hands responsibility for talking to the home office to the copies of itself living in Administration rather than R&D.
Figure: Symantec, "W32.Duqu: The precursor to the next Stuxnet," flowchart of the Duqu installation procedure.